Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Serverless Security Workshop

Serverless Security Workshop

ServerlessDays London, July 12th, 2019

In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora. We will cover AWS services and features you can leverage to improve the security of a serverless applications in 5 domains: identity & access management, infrastructure, data, code, logging & monitoring.

You'll start by deploying a simple serverless application. However, this application is not very secure, and we need your help to implement measures to protect this serverless API from attackers. By following different modules covering various aspects of security, you will help improve the security of the application.

The content for the workshop is available online:

https://github.com/aws-samples/aws-serverless-security-workshop

Danilo Poccia

July 12, 2019
Tweet

More Decks by Danilo Poccia

Other Decks in Programming

Transcript

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Serverless Security Workshop
    Danilo Poccia, Principal Evangelist @danilop
    James Beswick, Senior Developer Advocate @jbesw
    Heitor Lessa, Specialist Solutions Architect @heitor_lessa
    Simon Thulbourn, Specialist Solutions Architect @sthulb
    S e r v e r l e s s D a y s L o n d o n 2 0 1 9 . 0 7 . 1 2

    View full-size slide

  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Agenda
    • Serverless security – is it different?
    • Security domains for serverless applications
    • Workshop scenario
    • How to secure serverless applications
    • Hands-on

    View full-size slide

  3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Sample architecture for serverless API endpoint
    Amazon API
    Gateway
    AWS
    Lambda
    Amazon
    DynamoDB
    Amazon
    RDS
    Users
    Amazon Cognito

    View full-size slide

  4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Sample architecture for serverless web app
    Amazon API
    Gateway
    AWS
    Lambda
    Amazon
    DynamoDB
    Amazon
    RDS
    Users
    Amazon
    CloudFront
    Amazon S3
    Amazon Cognito

    View full-size slide

  5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    How is serverless security different?
    Different:
    • Reduced scope
    • Ephemeral environment
    • More events can trigger your AWS Lambda
    • Old techniques might not be relevant
    But still…
    • Need to secure databases, S3 buckets, etc.
    • Need to secure your code.
    • Need to use minimum privilege access.
    • Need to monitor usage and data flow.
    https://www.protego.io/ebook/

    View full-size slide

  6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

    View full-size slide

  7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Domains of security for (serverless) applications
    Infrastructure
    Data
    Code
    Identity
    & Access
    Logging &
    Monitoring

    View full-size slide

  8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    OWASP 2017- Top 10 Web Application Security Risks
    Rank Security risks
    1 Injection
    2 Broken Authentication
    3 Sensitive Data Exposure
    4 XML External Entities (XXE)
    5 Broken Access Control
    6 Security Misconfiguration
    7 Cross-Site Scripting (XSS)
    8 Insecure Deserialization
    9 Using Components with Known
    Vulnerabilities
    10 Insufficient Logging & Monitoring
    https://www.owasp.org
    • Exploitability
    • Prevalence
    • Detectability
    • Technical impact

    View full-size slide

  9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    OWASP Top 10 mapped to security domains
    Infrastructure
    Data
    Code
    Identity
    & Access
    Logging &
    Monitoring
    • Broken Authentication(#2)
    • Broken Access Control (#5)
    • Injection (#1)
    • XXE (#4)
    • XSS (#7)
    • Insecure Deserialization (#8)
    • Using Components with Known
    Vulnerabilities (#9)
    • Sensitive Data Exposure (#3)
    • Using Components with Known
    Vulnerabilities (#9)
    • Security Misconfiguration (#6)
    • Insufficient Logging &
    Monitoring (#10)

    View full-size slide

  10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

    View full-size slide

  11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Scenario: Wild Rydes (www.wildrydes.com)

    View full-size slide

  12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    3rd party functionality– unicorn customization
    Visit beautiful
    Unicornpolis!
    Sock image Credit: Freepik from www.flaticon.com

    View full-size slide

  13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    List customization options and prices:
    GET /capes
    GET /glasses
    GET /horns
    GET /socks
    3rd party API: Unicorn customization
    Image Credit:
    Smashicons, Freepik, from www.flaticon.com
    johnny_automatic from www.openclipart.org

    View full-size slide

  14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    3rd party API: Unicorn customization
    Create and manage customizations
    POST /customizations
    GET /customizations
    GET /customizations/{id}
    DELETE /customizations/{id}

    View full-size slide

  15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Admin API: register 3rd party partners
    Register new partners
    POST /partners

    View full-size slide

  16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Workshop architecture – starting point
    Amazon API
    Gateway
    AWS
    Lambda
    Amazon
    RDS
    3rd party
    Not secure!

    View full-size slide

  17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Your task: secure the application against attackers!
    Image Credit:
    pongsakornred, Freepik from www.flaticon.com

    View full-size slide

  18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Workshop
    Link to the workshop: https://amzn.to/serverless-security
    Module 0 mandatory
    Module 1-8: Pick your own battle!
    Infrastructure
    Data
    Code
    Identity &
    Access Logging &
    Monitoring
    Module 1:
    auth
    Module 2:
    Secrects
    Module 8:
    X-Ray
    Module 4:
    Encryption
    in transit
    Module 5:
    usage plans
    Module 6:
    WAF
    Module 3:
    input
    validation
    Module 7:
    dependency
    vulnerability

    View full-size slide

  19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

    View full-size slide

  20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Identity and access management for serverless applications
    • Authenticate and authorize end-
    users/clients
    • Access between backend services
    (e.g. AWS Lambda to DynamoDB
    tables)
    Infrastructure
    Data
    Code
    Identity
    & Access
    Logging &
    Monitoring

    View full-size slide

  21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Identity and access management for serverless applications
    Access control between
    services
    Authenticate & authorize end-users/clients

    View full-size slide

  22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Workshop module 1: OAuth Client Credentials Flow
    Client
    Authorization
    server
    Resource
    server
    Client credentials
    (ClientID + Client Secret)
    Access token
    Call protected resource with access token
    protected resource response
    Resource
    server
    Authorization
    server
    Client

    View full-size slide

  23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Workshop module 1: add authentication
    Amazon API
    Gateway AWS
    Lambda
    Amazon RDS
    (Aurora MySQL)
    3rd party
    Amazon Cognito
    Client
    authentication
    AWS Lambda
    (Custom authorizer)
    Verify access
    token and scope
    Amazon DynamoDB
    (Mapping ClientID ->
    backend companyID)
    Download public key
    to validate token
    OWASP #2: Broken Authentication
    OWASP #5: Broken Access Control

    View full-size slide

  24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Workshop module 1: add authentication
    Amazon Cognito
    Admin App client:
    • Client ID: ZZZ
    • Client Secret
    Company bar app client:
    • Client ID: YYY
    • Client Secret
    Company foo app client:
    • Client ID: XXX
    • Client Secret
    Amazon Aurora
    Company table
    ID Name
    1 Foo
    2 Bar

    Mapping table
    ClientID BackendID
    XXX 1
    YYY 2
    Amazon DynamoDB

    View full-size slide

  25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Securing code for serverless applications
    • Input validation
    • Dependency vulnerabilities
    • Secrets in source code
    Infrastructure
    Data
    Code
    Identity
    & Access
    Logging &
    Monitoring

    View full-size slide

  26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Securing code for serverless applications
    Input validation Storing secrets
    • AWS WAF:
    • XSS Rules
    • SQL injection rules
    • AWS Secrets Manager
    • Systems Manager
    Dependency vulnerabilities

    View full-size slide

  27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Module 2: Secret Manager
    Amazon API
    Gateway AWS
    Lambda
    Amazon RDS
    (Aurora MySQL)
    3rd party
    AWS Secrets
    Manager
    CloudFormation
    Secret Rotation
    OWASP #3: Sensitive Data Exposure

    View full-size slide

  28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Module 3: Input Validation
    Amazon API
    Gateway
    3rd party
    AWS
    Lambda
    {
    ”unexpectedAttr":"1",
    }
    Request body
    {
    ”name":”AwesomeUnicorn",
    "imageUrl": "http://this.jpg",
    "sock": "1",
    "horn": "1",
    "glasses": "1",
    "cape": "1"
    }
    /customizations
    POST
    • OWASP #1: Injection
    • OWASP #8: Insecure Deserialization

    View full-size slide

  29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Module 7: Dependency Vulnerability
    • Check for vulnerabilities on
    our dependencies
    • OWASP Dependency Check:
    https://www.owasp.org/index.php/O
    WASP_Dependency_Check
    • Third party tools
    • Remove unused dependencies
    • depcheck:
    https://www.npmjs.com/package/de
    pcheck
    http://npm.anvaka.com/#/view/2d/request
    • OWASP #9: Using Components with
    Known Vulnerabilities

    View full-size slide

  30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Securing data for serverless applications
    Your responsibility:
    • Data Classification and Data Flow
    • Tokenization
    • Encryption at rest
    • Encryption in transit
    • Data Backup/Replication/Recovery
    Infrastructure
    Data
    Code
    Identity
    & Access
    Logging &
    Monitoring
    Managed backups/
    encryption

    View full-size slide

  31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Securing data for serverless applications
    Data Classification Data backup/Replication
    Data Encryption at rest
    Data Flow
    Data Encryption in transit
    Data Tokenization

    View full-size slide

  32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Module 4: encryption in transit
    Amazon API
    Gateway
    AWS
    Lambda
    Amazon RDS
    (Aurora MySQL)
    3rd party
    {
    host: ”database.host.com",
    user: "admin",
    password: ”xxxxxxx",
    database: "unicorn_customization",
    ssl: "Amazon RDS"
    }
    {
    host: ”database.host.com",
    user: "admin",
    password: ”xxxxxxxxx",
    database: "unicorn_customization"
    }
    OWASP #3: Sensitive Data Exposure

    View full-size slide

  33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Securing infrastructure for serverless applications
    Your responsibility:
    • DDOS protection
    • Throttling/ Rate limiting
    • Network boundaries
    Infrastructure
    Data
    Code
    Identity
    & Access
    Logging &
    Monitoring

    View full-size slide

  34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Securing infrastructure for serverless applications
    DDOS protection + Throttling/ Rate limiting Network boundaries
    • AWS WAF:
    • Geoblocking
    • IP reputation lists
    • Rate-based rules
    • Size constraint

    View full-size slide

  35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Module 5: Usage Plans
    Amazon API Gateway AWS
    Lambda
    Amazon
    RDS
    3rd party
    AWS Lambda
    (Custom authorizer)
    + API key
    + API key

    View full-size slide

  36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Module 6: WAF
    AWS
    Lambda
    3rd party Amazon
    API Gateway
    AWS WAF Amazon
    RDS

    View full-size slide

  37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Logging & monitoring for serverless applications
    • Application logs
    • Access logs
    • Control plane audit logs
    • Metrics
    • Alarms
    • Compliance validation
    Infrastructure
    Data
    Code
    Identity
    & Access
    Logging &
    Monitoring

    View full-size slide

  38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Logging & monitoring for serverless applications
    Logging and tracing Metrics Compliance validation

    View full-size slide

  39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Module 8: X-Ray OWASP #10: Insufficient Logging &
    Monitoring

    View full-size slide

  40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Workshop
    Link to the workshop: https://amzn.to/serverless-security
    Module 0 mandatory
    Module 1-8: Pick your own battle!
    Infrastructure
    Data
    Code
    Identity &
    Access Logging &
    Monitoring
    Module 1:
    auth
    Module 2:
    Secrects
    Module 8:
    X-Ray
    Module 4:
    Encryption
    in transit
    Module 5:
    usage plans
    Module 6:
    WAF
    Module 3:
    input
    validation
    Module 7:
    dependency
    vulnerability

    View full-size slide

  41. Thank you!
    © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    @danilop

    View full-size slide